I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks

Brocious demonstrating his unlocking tool on an Onity lock in a New York City hotel.

The next time you stay in a hotel room, run your fingers under the keycard lock outside your door. If you find a DC power port there, take note: With a few hacker tricks and a handful of cheap hardware, that tiny round hole might offer access to your room just as completely as your keycard.

At the Black Hat security conference Tuesday evening, a Mozilla software developer and 24-year old security researcher named Cody Brocious plans to present a pair of vulnerabilities he’s discovered in hotel room locks from the manufacturer Onity, whose devices are installed on the doors of between four and five million hotel rooms around the world according to the company’s figures. Using an open-source hardware gadget Brocious built for less than $50, he can insert a plug into that DC port and sometimes, albeit unreliably, open the lock in a matter of seconds. “I plug it in, power it up, and the lock opens,” he says simply.

In fact, Brocious’s break-in trick isn’t quite so straightforward. Testing a standard Onity lock he ordered online, he’s able to easily bypass the card reader and trigger the opening mechanism every time. But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed: Only one of the three opened, and even that one only worked on the second try, with Brocious taking a break to tweak his software between tests.

Even with an unreliable method, however, Brocious’s work–and his ability to open one out of the three doors we tested without a key–suggests real flaws in Onity’s security architecture. And Brocious says he plans to release all his research in a paper as well as source code through his website following his talk, potentially enabling others to perfect his methods.

Brocious’s exploit works by spoofing a portable programming device that hotel staff use to control a facility’s locks and set which master keys open which doors. The portable programmer, which plugs into the DC port under the locks, can also open any door, even providing power through that port to trigger the mechanism of a door lock in which the battery has run out.

The system’s vulnerability arises, Brocious says, from the fact that every lock’s memory is entirely exposed to whatever device attempts to read it through that port. Though each lock has a cryptographic key that’s required to trigger its “open” mechanism, that string of data is also stored in the lock’s memory, like a spare key hidden under the welcome mat. So it can be immediately accessed by Brocious’s own spoofed portable device and used to open the door a fraction of a second later.
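The design problem in the paragraph above, as an added illustration that is not from the article, from Brocious or from Onity: a toy lock whose open key is readable over the port, beside a challenge-response design in which the key never leaves the lock. The class and function names, the HMAC-over-nonce protocol and the audit helper are all hypothetical; nothing here models Onity's real memory layout or wire format.

```python
import hashlib
import hmac
import os

class ExposedMemoryLock:
    """Toy model of the flaw described above (an abstraction, not Onity's
    firmware): the open key sits in memory any device on the port can read."""
    def __init__(self, open_key: bytes):
        self.memory = {"open_key": open_key}  # readable through the port
    def read_memory(self) -> dict:
        return dict(self.memory)  # the port hands out everything
    def open(self, presented_key: bytes) -> bool:
        return hmac.compare_digest(presented_key, self.memory["open_key"])

class ChallengeResponseLock:
    """Hardened model: the key never leaves the lock; the port sees only a fresh
    nonce, and the lock opens only for a MAC over it computed with the key."""
    def __init__(self, open_key: bytes):
        self._open_key = open_key  # never returned by read_memory
        self._nonce = None
    def read_memory(self) -> dict:
        return {}  # nothing secret is readable through the port
    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce
    def open(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._open_key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # single use, so a captured response cannot be replayed
        return hmac.compare_digest(response, expected)

def opens_with_port_access_only(lock) -> bool:
    """Audit check: can a device knowing only what the port reveals open the
    lock? It replays any key it read; otherwise it answers without the key."""
    leaked = lock.read_memory()
    if "open_key" in leaked:
        return lock.open(leaked["open_key"])
    if hasattr(lock, "challenge"):
        lock.challenge()
        return lock.open(bytes(32))  # keyless guess at the expected MAC
    return False

def programmer_open(lock, open_key: bytes) -> bool:
    # The legitimate portable programmer, which does hold the key.
    if hasattr(lock, "challenge"):
        nonce = lock.challenge()
        return lock.open(hmac.new(open_key, nonce, hashlib.sha256).digest())
    return lock.open(open_key)
```

The audit helper passes on the exposed design and fails on the hardened one, while the programmer that holds the key opens both; the lesson is that a secret readable through the same port that accepts it is not a secret.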

Brocious believes that the unreliability of his method stems from timing issues in how his hacked-together unlocking device communicates with Onity’s locks. He doesn’t plan to complete the development and debugging of the technique himself, due to what he says are time constraints and concerns about what a universally effective exploit would mean for the security of millions of hotel guests. But he believes that with more experimentation and tweaking, someone could easily access a significant fraction of hotel rooms around the country without leaving a trace.

In fact, Brocious isn’t the only one who knows his tricks. His former employer, a startup that sought to reverse engineer Onity’s hotel front desk system and offer a cheaper and more interoperable product, sold the intellectual property behind Brocious’s hack to the locksmith training company the Locksmith Institute (LSI) for $20,000 last year. LSI students, who often include law enforcement, may already have the ability to open Onity doors at will.

“With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” says Brocious. “An intern at the NSA could find this in five minutes.”

The ability to access the devices’ memory is just one of the two vulnerabilities Brocious says he found in Onity’s locks. He says the company also uses a weak encryption scheme that allows him to derive the “site code”–a unique numerical key for every facility–from two cards encoded one after another for the same room. By reading the encrypted data off of two cards and testing thousands of potential site codes against both cards until the decoded data displays a predictable interval between the two, he can find the site code and use it to create more card keys with a magnetizing device. But given that he can only create more cards for the same room as the two keys he’s been issued, that security flaw represents a fairly low risk compared with the ability to open any door arbitrarily.

Brocious says he stumbled upon the flaws in Onity’s locks while working as the chief technology officer for a startup called Unified Platform Management Corporation, which sought to compete with bigger players in the hotel lock industry by creating a universal front end system for hotels that used common lock technologies. Brocious was hired to reverse engineer hotel locks, and Onity was his first target. The discovery of Onity’s security vulnerabilities was entirely unintentional, he says.

Comments

As I read this, it will now be unsafe to stay in any hotel that has these particular door locks. Until such time as The Public can readily verify that the locks on their hotel room door have been replaced, it could seriously affect travel decisions by anyone that has read about this. How are we (the traveling public) supposed to do that? Do we blindly accept that this work has been done? Do we trust the desk clerk to know about this and answer us honestly if we ask? Do we trust the hotel to have done this? I hate to say it, but there needs to be a government level oversight to FORCE compliance of the lock replacements.

It would be good for Forbes to do a follow-up article on this specific issue and show consumers exactly what these locks look like so we can spot them, and then follow up periodically to see what effort has been made to replace the affected locks. If non-compliant hotel chains are called out by name it will encourage them to make the necessary changes.

In the interim, I suppose we could all squirt some epoxy up into the access hole, thus forcing them to replace the locks . . . however inconvenient it may be, it is less inconvenient than being robbed, attacked, murdered, or raped.

Unsafe huh? About as unsafe as you staying in your house with any mechanical key lock, which can be picked a lot more quickly and easily than it took Brocious to defeat the electronic lock. Should we all expect those manufacturers to replace every lock they’ve ever manufactured?

I have been in the hotel industry for 15 years now. This has never happened in any hotel I have worked in nor has it happened to anyone I know. To think that you would want to destroy property, and at such a heavy cost to the hotel (which would make rates go up) is completely ludicrous and immature. This is all based on some hacker guy’s experiment. It didn’t even work most of the time. Common thieves are not in the habit of going in and taking their time trying to rob a room. They will be more likely to break into your car, particularly if you leave anything in it or, as Jay said, your house. The key to knowing if a hotel is safe to stay at? Trip Advisor for starters, and then test the staff. Ask for a new key to your room. Did they ask for ID? If you didn’t bring ID then what did they do? Did they give you a key anyways? If they just give you a key and don’t bother to check ID, don’t stay there again.

Yeah, it’s a bit arrogant and uncool of Brocious to not give the designer of the lock at Onity a chance to try to come up with a solution before going public, but if he wants to paint a big red target on his forehead, that’s his business. Now, every dedicated white hatter is going to be looking at everything he designs and if a flaw is found, it’ll be published without giving Brocious a chance to respond. :)

I’ve noticed a lot of people commenting on the negativity of Mr. Brocious not contacting the company, Onity or UTC, prior to this release. However, has anyone verified whether or not the company he co-founded while he discovered this information ever attempted to make contact? If they at least attempted I wouldn’t blame him for his actions.

I find it hard to believe that a start-up competitor within the same industry found a security vulnerability as large as this and never attempted to make contact. So either they tried and were shut down, i.e. they were never paid or couldn’t agree, or they simply never contacted the company because they knew they would get sued.

If I’m in the business of making money I would have, at minimum, tried to make contact to find out what, if anything, I could get out of the discovery. A blackhat presentation of this nature only solidifies Mr. Brocious’s 15 minutes of fame. The other people in the start-up have received nothing. Seems to me that if the other people in this company had an issue with it they could have beat Mr. Brocious over the head and stolen his “It’s fun to use learning for Evil” shirt.

You should not have to reverse engineer a patented product; the patent must disclose enough information to make the product. If you have to reverse engineer the patented part, the patent probably is not valid.